In this guide we will setup an OpenGear ACM5004 for remote mgmt and remote SSH capabilities (serial ports) over the mobile network, utilizing DynDNS to enable easy connection to the device.

A fair warning first, I would not use the OpenGear over cellular networks as a permanent solution to access any equipment. The reason being that OpenGears own firewall and security settings is the only protection between the bad guys and the console port of your network equipment.
It can be configured to fail over to cellular networks in case remote access over LAN fails, which may be a more feasible solution.
Personally I use OpenGear remote on a case-by-case basis for when I need to be at two locations at once.

Default settings

By default, the device can be accessed through https://192.168.0.1 and using login credentials “root” / “default”

LAN settings

First off, head over to System > IP on the left hand side and configure the network parameters – typically DHCP.

User credentials

Head over to System > administration and change the password for root.
Next, go to Serial & Network > Users & Group and configure a new user.
In my example, I have created a user called “remotessh” with access to all ports, but without any group membership.

Cellular settings

Go to System > Dial > The tab Internal Cellular Modem. There you choose “Allow outgoing modem communication” before you enter the pin code, by clicking a button labeled “Unlock”.
Furthermore, you need to acquire an APN from your provider, which gives you a public IP rather than a private address on the cellular modem. In my case, using Telenor, the APN is internet.public. Your mobile services provider can supply your with the correct APN.

Dynamic DNS

Since the cellular modem will get a new IP address every time it connects to the GSM network, utilizing a dynamic DNS service is a must. Otherwise you would have to connect to LAN-port and retrieve the IP address manually every time you need to connect remote. (Sounds a bit counterproductive, don’t you think?)

The DynDNS settings used are as follows.

Verifying cellular connectivity

You can verify connectivity both from the dashboard and from Status > Statistics > The tab Failover & Out-of-band / Celluar as shown in the picture below.

And if you have connectivity, you should also DynDNS updated.

Setting up the serial ports

These settings are edited from the menu Serial & Network > Serial Port

Go into one of the ports (or all of them) and tick off “Console Server Mode” and make sure only SSH is ticked off

After you have edited all the ports, it should look something like this:

Setting up Security

Now, as mentioned in the warning, the only thing that stands between your equipments console port and the bad guys, are the OpenGear ConsoleServer – which is not created by and infosec company. Regardless, we should secure it as much as possible.

Service access

In System > Services > The Tab Service Access we can ensure that only HTTPS/SSH and SSH to serial ports are ticked off in the coloumn “Dialout/Cellular”

Brute force protection

From the same menu, in the tab Brute Force you can enable protection for Brute Force attacks against your OpenGear equipment.

Firewall rules

Since we have allowed remote management on the Dialout/Cellular Service access anyone can connect the Console Server. Tighting down this can be done in the built in firewall of the device.
You can access the firewall from System > Firewall > The tab Firewall rules.

As shown my example below, I have granted SSH/HTTPS access from my public IP address.
I have allowed access to port 3001-3004 (the serial ports) from anywhere.
And I have blocked everything else.

A small note, if you would like to connect to the serial port menu from anywhere, you would need to allow SSH from anywhere as well. (See “connecting to the serial ports” below)

Connecting to the serial ports

If you would like to connect to the menu and choose the port from there, you would have to allow SSH access into the device as well.
You will also need to use the username “remotessh:serial” as shown in the picture below

By now you should be good to go for remote access to your equipment! Happy configuration! =)